Network and Host Exploit Mitigation does find Ransomware Attack and does NOTHING

I need a solution

We support a full SEP-secured network which was attacked by a ransomware trojan which is long known by SEP.
The first infected machine stopped the client but the others noticed the attack by the Network and Host Exploit Mitigation part right away. Seems like a good job.
BUT then nothing happens. In my opinion SEP should now have isolated that machine right away, so that the ransomware isn’t able to spread itself.
Instead – nothing happens. The trojan is able to infect all fileshares, despite SEP knowing what it is doing.

How can that happen?????????

Support told me there is no mechanism to stop it. Every port scan triggers a 600 seconds block of the attacker, but a trojan can do its encryption without any action by SEP?!? That doesn’t look right.

We hardened our network to withstand an attack like that, but still SEP should be able to take an action after a finding like that.

Any Idea?


BankBot Android malware sneaks into the Google Play Store – for the third time


The Google Play Store is unintentionally distributing a particular form of Android banking malware for the third time this year.

BankBot first appeared in the official Android marketplace in April this year, was removed, and was then discovered to have returned in September before being removed again. Now BankBot has appeared in the Google Play store yet again, having somehow bypassed the application vetting and security protocols for a third time.

BankBot is designed to steal banking credentials and payment information. It tricks users into handing over their bank details by presenting an overlay window which looks identical to a bank’s app login page.

The malware is capable of identifying a variety of financial and retail mobile apps on the infected devices and tailors the phishing attack to display a fake version of the banking app the victim uses, if the target bank is recognized by the malware.

If the user relies on text messages as a form of two-factor authentication, the malware is also capable of monitoring these in order to provide attackers with all the information they need to raid the victim’s bank account.

Discovered by researchers at RiskIQ, the latest version of BankBot to infiltrate the Google Play store is disguised as an app called ‘Crypto currencies market prices’ — complete with a phony ‘Verified by Play Protect’ logo in order to make it look as if it is a known and trusted app.


The app as it appeared in the Google Play store – complete with false ‘verified’ badge.

Image: RiskIQ

To the user, the app looks as if it is designed for comparing cryptocurrency prices with other forms of money, and it even contains working cryptocurrency-monitoring functionality — which is partly how the app manages to bypass Play Store security checks.

By giving the user an app which actually works, the group behind it is increasing the likelihood of achieving its goals, as a user is likely to uninstall an app which crashes or doesn’t work.

When initially installed on the device, the app asks for a variety of intrusive permissions, including the ability to read and send messages, access the internet, and write to external storage.

These ultimately provide BankBot with all the permissions it needs to overlay fake login screens, then extract the stolen information and send it back to the attacker — be it to make purchases for themselves, or to sell on the stolen credentials.

The attackers behind BankBot update it regularly. Since first appearing earlier this year, the malware has gained improved code obfuscation, a more sophisticated payload dropping functionality, and the ability to exploit Android’s Accessibility Service in a similar way to other forms of mobile banking malware.
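The capabilities described above (overlay login screens, SMS interception for 2FA codes, an Accessibility Service, and network access for exfiltration) each correspond to something an app must declare in its manifest. The following added example, not code from the article or from RiskIQ, parses a constructed AndroidManifest.xml and scores how much of that chain an app requests; the package name and the exact thresholds are assumptions, and the permission names are the standard Android ones.

```python
import xml.etree.ElementTree as ET

# Clark-notation attribute names for the android: namespace.
ANDROID = "http://schemas.android.com/apk/res/android"
A_NAME, A_PERM = f"{{{ANDROID}}}name", f"{{{ANDROID}}}permission"

# Standard Android permission names behind the capabilities the article
# attributes to BankBot: SMS 2FA capture, overlay login screens, network exfil.
SMS_PERMS = {f"android.permission.{p}_SMS" for p in ("READ", "RECEIVE", "SEND")}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
NETWORK_PERM = "android.permission.INTERNET"

# Constructed manifest modelled on the behaviour described above (package name is made up).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cryptoprices">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

def manifest_indicators(manifest_xml: str) -> dict:
    """Return which BankBot-style capabilities a manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(A_NAME) for el in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE,
    # not a <uses-permission> entry.
    guarded = {el.get(A_PERM) for el in root.iter("service")}
    return {
        "sms": bool(perms & SMS_PERMS),
        "overlay": OVERLAY_PERM in perms,
        "accessibility": ACCESSIBILITY_PERM in guarded,
        "network": NETWORK_PERM in perms,
    }

def banking_trojan_risk(manifest_xml: str) -> str:
    """Score the combination: screen control + SMS access + network = the full chain."""
    ind = manifest_indicators(manifest_xml)
    if (ind["overlay"] or ind["accessibility"]) and ind["sms"] and ind["network"]:
        return "high"
    if ind["sms"] or ind["overlay"] or ind["accessibility"]:
        return "medium"
    return "low"
```

A genuine SMS app will also score "medium", so this is a triage filter for app review, not a verdict on its own.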

Since being detected, the malware-distributing ‘Crypto currencies market prices’ app has been removed from the Google Play Store. The malicious app was downloaded a few thousand times.

Google maintains that it keeps the vast majority of its 1.4 billion Android users safe from malware.

But this marks yet another embarrassing incident for Google when it comes to Play Store security. Recently a fake version of WhatsApp was downloaded by over a million users before it was discovered and removed.

ZDNet has attempted to contact Google for comment on the latest BankBot discovery, but had not received a response at the time of publication.


The Android malware tricks victims into handing over their online banking credentials.

Image: iStock


Are DataDomain systems vulnerable to “ransomware” software such as CryptoLocker?

Data Domain

As described on the Wikipedia page for CryptoLocker, it is one of many malware trojans of the same kind which, when infecting a target desktop or server, search for certain types of files, automatically encrypt them with strong cryptography and a secret key, and then inform the user that they must pay a ransom (typically in Bitcoin, through the Tor network) to receive the key needed to recover their data.

Although CryptoLocker is only known to target Microsoft Windows desktops and servers, one cannot rule out versions of the same malware being released for other operating systems, such as Mac OS X or server-oriented operating systems. The DataDomain Operating System (DDOS) is based on Linux, and there is no reason to think CryptoLocker can run directly on it; the malware would additionally have to first land on the DD and be executed by the administrator.

Therefore, a DD may not be vulnerable to a direct CryptoLocker attack, but it is not immune to malware infecting any desktop or server that has access to files stored on the DataDomain file system: those files can be encrypted over the network, and their contents thereby made unavailable to the user.

If you find that CryptoLocker, or any other malware working in a similar way, has infected a desktop or server that may have had CIFS or NFS access to the DataDomain, then, while you determine the extent of the damage:

  1. Disconnect the infected desktop or server from the network to avoid any further propagation of the malware.
  2. If possible, until the extent of the infection is determined, disconnect the DD from the desktops and servers by disabling CIFS and NFS support where applicable, or add the necessary access lists on the DD side to prevent suspect desktops / servers from accessing the data on the DD.
  3. If there is any chance that data on the DataDomain FS has been affected, stop DataDomain clean if it is running, and disable clean from running until a later stage, so that the space still holding the original, unencrypted data is not reclaimed.

For a detailed resolution please refer to Dell EMC Support Solution 490993.
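Step 3 hinges on knowing whether data on the share has actually been affected. The following added example, not part of the Dell EMC article, walks a mounted CIFS/NFS path and flags the three usual signs of mass encryption: appended ransomware extensions, ransom-note files, and recently modified files whose first bytes are near-random. The extension and note-name lists, the time window and the entropy threshold are assumptions, and the sample share it builds is constructed.

```python
import math, os, tempfile, time
from collections import Counter

# Assumed indicators: extensions and note names used by CryptoLocker-style families
# (illustrative lists, not taken from the article).
SUSPECT_EXT = {".encrypted", ".locked", ".crypt"}
RANSOM_NOTE_NAMES = {"DECRYPT_INSTRUCTIONS.txt", "HOW_TO_DECRYPT.txt"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for ciphertext or compressed data, far lower for documents."""
    if not data:
        return 0.0
    n, counts = len(data), Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def triage_share(root: str, window_seconds: int = 3600, entropy_threshold: float = 7.5) -> dict:
    """Walk a mounted share and collect paths that look like ransomware damage."""
    now = time.time()
    findings = {"suspect_ext": [], "ransom_notes": [], "high_entropy_recent": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in RANSOM_NOTE_NAMES:
                findings["ransom_notes"].append(path)
            if os.path.splitext(name)[1].lower() in SUSPECT_EXT:
                findings["suspect_ext"].append(path)
            # Only files touched inside the window are sampled; the first 4 KiB is enough
            # to tell ciphertext from a document, and tiny files are skipped as noise.
            if now - os.path.getmtime(path) <= window_seconds:
                with open(path, "rb") as f:
                    head = f.read(4096)
                if len(head) >= 256 and shannon_entropy(head) >= entropy_threshold:
                    findings["high_entropy_recent"].append(path)
    return findings

def build_sample_share() -> str:
    """Constructed sample share: one plain document, one 'encrypted' copy, one ransom note."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "report.txt"), "w") as f:
        f.write("Quarterly backup report. " * 50)
    with open(os.path.join(root, "report.txt.encrypted"), "wb") as f:
        f.write(os.urandom(4096))          # stands in for ciphertext
    with open(os.path.join(root, "DECRYPT_INSTRUCTIONS.txt"), "w") as f:
        f.write("Your files have been encrypted.")
    return root
```

Backup images and compressed archives are high-entropy by nature, so on a DD the entropy check is only meaningful for files that were not compressed or encrypted before they were written; the extension and note checks apply regardless.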


Trojan.backdoor Activity 179

I do not need a solution (just sharing information)

This signature detects Infostealer activity on the infected machine that could result in the downloading and executing of files from the Internet on a compromised host. Infostealers are malware that steal information from the compromised computer and also download and execute files from the Internet.

  • What kind of a threat are Trojans and what can they do?

There is probably no internet user, who has not heard about the infamous Trojan horse infections and their harmful and destructive capabilities. There are a number of reasons for these malicious pieces of software to be so popular and maybe the biggest one of them is their stealthy and tricky nature. An infection like Trojan.backdoor Activity 179, for example, is really difficult to detect and oftentimes the users do not realize that their machine has been infected before major damage occurs. Another thing that this nasty type of software is famous for is its extreme versatility. The hackers, who control it, can use it for a number of malicious deeds and, as long as the malicious Trojan script runs on the computer with Administrator privileges, it can literally provide them with unlimited access to all of the computer’s files and resources. With such access, it is extremely easy for the criminals to cause various types of harm or use Trojan.backdoor Activity 179 to do some fraud or theft.

  • Which devices are affected by this attack?

    • Various Windows machines.
  • Severity

    • High

    • This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
  • How to remove this trojan?

    • Disable System Restore (Windows Me/XP).
    • Run a full system scan with Symantec Antivirus or Norton Antivirus products.
    • Restart the machine, open a command prompt, then scan.